How to recover the AveksaAdmin account password in RSA Identity Governance & Lifecycle 7.0.2 P02 and above
Originally Published: 2017-08-02
Article Number
Applies To
RSA Version/Condition: 7.0.2 P02+
Issue
When data containing the AveksaAdmin password is imported after a new installation or upgrade, RSA Identity Governance & Lifecycle creates a marker KEK (key encryption key) file called Xmk.key, which links the hashed and encrypted AveksaAdmin password to a specific deployment. After the Xmk.key file is created, RSA Identity Governance & Lifecycle treats any subsequent attempt to import the AveksaAdmin password in the older format, or to manually edit the AveksaAdmin password in the database, as potential tampering.
Restoring the AveksaAdmin password may be required in the following circumstances:
- The AveksaAdmin password is lost or forgotten and needs to be reset.
- After a new installation or upgrade, more than one attempt to import an old AveksaAdmin password has been detected, and the AveksaAdmin account has been locked out due to possible tampering. If this happens, the following symptoms may be seen:
  - Logging in to the AveksaAdmin account results in an invalid credentials error message.
  - A security-type event is logged in the Admin Errors table, with the following description:
    Super Admin account access denied.
  - The event contains the following details:
    Super admin password tampering has been detected. Password recovery steps must be taken before login to the Super Admin account is allowed, please consult documentation.
  - The T_AV_EVENT and T_AV_EVENT_INFO tables contain a failure audit event of type SUPER_ADMIN_ACCESS with the details:
    Possible Super Admin account password tampering detected, access denied.
  - The aveksaServer.log may have the following error:
9/05/2017 12:39:56.288 ERROR (default task-16) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Error while fetching the super admin password
java.lang.IllegalStateException: An issue with handling encryption was encountered
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
    at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.checkOldPassword(ModifySystemSettingsDialogData.java:604)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validatePassword(ModifySystemSettingsDialogData.java:445)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validateData(ModifySystemSettingsDialogData.java:489)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleSubmit(ModifySystemSettingsDialogData.java:196)
    at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleRequest(ModifySystemSettingsDialogData.java:179)
    at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:597)
    at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
    at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
    at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:184)
    at com.aveksa.gui.core.MainManager.doGet(MainManager.java:128)
    at com.aveksa.gui.core.MainManager.doPost(MainManager.java:420)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
    at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:748)
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)] -- Check that the security key file is not missing
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
    ... 53 more
09/05/2017 12:39:56.291 ERROR (default task-16) [com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData] Authentication Exception while checking for password
com.aveksa.server.authentication.AuthenticationProviderServiceException: Error while doing the authentication
    at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:667)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.checkOldPassword(ModifySystemSettingsDialogData.java:604)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validatePassword(ModifySystemSettingsDialogData.java:445)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validateData(ModifySystemSettingsDialogData.java:489)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleSubmit(ModifySystemSettingsDialogData.java:196)
    at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleRequest(ModifySystemSettingsDialogData.java:179)
    at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:597)
    at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
    at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
    at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:184)
    at com.aveksa.gui.core.MainManager.doGet(MainManager.java:128)
    at com.aveksa.gui.core.MainManager.doPost(MainManager.java:420)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
    at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: An issue with handling encryption was encountered
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
    at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615)
    ... 52 more
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)] -- Check that the security key file is not missing
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
    ... 53 more
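A triage check for the aveksaServer.log symptom above, as an added example (not RSA's code): it groups log lines into entries and, for the super admin decryption failure, reports the key version named in the EncryptionException. The function names and the trimmed sample log are constructed for this illustration.

```python
import re

# Entry header as seen in aveksaServer.log: date time LEVEL (thread) [logger] message
ENTRY = re.compile(r"^(\d{1,2}/\d{2}/\d{4} [\d:.]+) (\w+)\s+\(([^)]*)\) \[([^\]]+)\] (.*)$")
# Root cause reported by EncryptionMgr when no encryptor matches the stored value's key version
KEY_VERSION = re.compile(r"no associated encryptor for its embedded key version: keyVersion\[(\w+)\]")
MARKER = "Error while fetching the super admin password"

def parse_entries(text):
    """Group the log into entries: a header line plus its stack-trace continuation lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts, level, _thread, logger, msg = m.groups()
            entries.append({"ts": ts, "level": level, "logger": logger, "lines": [msg]})
        elif entries and line.strip():
            entries[-1]["lines"].append(line.strip())
    return entries

def super_admin_lockout_findings(text):
    """Return one finding per ERROR entry showing the super admin decryption failure."""
    findings = []
    for e in parse_entries(text):
        body = "\n".join(e["lines"])
        if e["level"] != "ERROR" or MARKER not in body:
            continue
        kv = KEY_VERSION.search(body)
        findings.append({
            "ts": e["ts"],
            "logger": e["logger"].rsplit(".", 1)[-1],
            "key_version": kv.group(1) if kv else None,
            "key_file_hint": "Check that the security key file is not missing" in body,
        })
    return findings

# Constructed sample: the article's two entries with most frames cut, plus an invented INFO line.
SAMPLE_LOG = """\
09/05/2017 12:39:56.288 ERROR (default task-16) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Error while fetching the super admin password
java.lang.IllegalStateException: An issue with handling encryption was encountered
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)] -- Check that the security key file is not missing
09/05/2017 12:39:56.291 ERROR (default task-16) [com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData] Authentication Exception while checking for password
09/05/2017 12:40:01.000 INFO (default task-16) [com.aveksa.gui.core.MainManager] request handled
"""

if __name__ == "__main__":
    for finding in super_admin_lockout_findings(SAMPLE_LOG):
        print(finding)
```
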
Resolution